Offensive Computing, LLC 



Community Contributions 

- Free access to malware samples 

- Largest open malware site on the Internet 
— 350k hits per month 

"It's like an anti-virus company, but without 
that fake "We're better than you" attitude. " 
- Dave Aitel 

Business Services 
Overview of Talk 



Problem Discussion 
Software Armoring Techniques 
Covert Debugging Requirements 
Dynamic Instrumentation for Debugging 
OS Pagefault Assisted Covert Debugging 
Application - Generic Autounpacking 
Results 
What are the problems? 



Malware analysis necessary for defense 



Creating signatures 

Understanding attacks (targeted/untargeted) 
Data mining trends and unknown threats 
Determining phylogeny of variants 
What are the problems? 



Malware wants to stop us from analyzing 
and understanding it 



Packing hinders our analysis 
Anti-analysis techniques 
Obfuscation hinders automation 
Automation is key to rapid analysis 
What is the problem? 



Huge number of malware samples 

- Example: We have almost 300,000 

- More hitting victims every day 

Analyst time is expensive 

- Individual samples can take hours to analyze 

We must automate the process to keep up 

Packers degrade automation 

We need to automatically decrypt 
malware! 
Previous Work 

Shadow Walker 

- Rootkit Memory Hiding 

- Jamie Butler, Sherrie Sparks 

PaX 

- Linux buffer-overflow prevention 

OllyBonE 

- Break on Execute for OllyDbg 

- Joe Stewart 

Memalyze 

- Tracing memory access 

- Skape 

PolyUnpack - Paul Royal et al. @ Georgia Tech 
Halvar's VxClass auto-unpacker 
Gaps 



The available solutions are detectable 

Not all are fully automatable 

Smaller percentage of success 

Some rely on signature based techniques 

In some cases slow 

No one solution addresses all these 
problems 
What we will show you 



Techniques that are a crucial step in the 
process of automating Malware decryption 

Example code that may help you in 
implementing your own automated 
decryption tools 

Ideas on what further steps are needed to 
solve the malware analysis automation 
problem 
What we will not show 



This is research code, not production 
Proof-of-concept 

- a short and/or incomplete realization (or 
synopsis) of a certain method or idea(s) to 
demonstrate its feasibility, or a demonstration 
in principle, whose purpose is to verify that 
some concept or theory is probably capable of 
exploitation in a useful manner 
(wikipedia ftw) 
Implications 



Analysis automation now within our reach 
Obfuscation no longer a major obstacle 
Ability to process 1000's of files rapidly 
Malware authors will have to step it up 

- Raising the bar 

Advanced tools/products can be developed 
Software Armoring Overview 
Software Armoring 



Packing/Encryption 
SEH Tricks 
VM Detection 
Debugger Detection 
Shifting Decode Frame 
Packing/Encryption 



Self-modifying Runtime Code 

- Small Decoder Stub 

- Decompresses the main executable 

- Restores imports 

Play Tricks with Portable 
Executables 

- Hide the Imports 

- Obscure relocations 

- Encrypt/compress the executable 
Normal PE File 

[Figure: IDA view of a normal PE file. The PE header and sections are intact and the entry function disassembles cleanly: push ebp / mov ebp, esp / sub esp, 1Ch / call ds:__imp_GetCommandLine / push [ebp+nCmdShow] / push eax / push [ebp+hPrevInstance] / push [ebp+hInstance] / call _FSolInit@16 / test eax, eax / conditional jump to locret_1001F13, followed by the GetMessage loop.] 
Packed PE File 

[Figure: IDA view of the same program after packing. The PE header and section table remain, but the section bodies disassemble only as dd tables of opaque dword constants. The only readable code is the decoder stub at the entry point: 

    public start 
    start proc near 
        pusha 
        mov     esi, offset ... 
        lea     edi, [esi-F000h] 
        push    edi 
        or      ebp, 0FFFFFFFFh 
        jmp     short loc_406882 
] 
Virtual Machine Detection 

Single instruction detection 

- SLDT, SGDT, SIDT 

- See: Redpill, Scoopy-Doo, OCVmdetect 

Instructions for Privileged/Unprivileged CPU mode 

- VMs try to be efficient, some instructions insecure 

- Do not fully emulate x86 bug for bug 
Debugger Detection 

Windows API 

- IsDebuggerPresent() API call 

- Checks PEB for magic bit 

- Bit toggling works 

Timing Attacks 

- Issue RDTSC instruction, compare to known values 

- Amazingly effective 
Debugger Detection (cont.) 

Breakpoint Detection 

- Int3 (0xCC) Instruction Scanning 

- Checksumming of executable 

Hardware Debugging Detection 

- Check CPU Flags for debug signatures 

SoftICE Detection 

- Modification of Int3 Scanning 

- Checksumming 

- BoundsChecker and other signatures 



Offensive Computing - Malware Intelligence 



SEH Tricks 



Structured Exception Handler 

Used to handle errors in running code 

Malware will overload this function to 
unpack code 

Debugger thinks SEH exceptions are for it 

Debugger dies 

- Divide by 
Shifting Decode Frames 

Execution is split at the basic block level 

Block is decoded, executed, and then encoded again 

Hard to defeat! 

Implemented in Patchguard for Vista 64 and Windows Server 2003 64-bit 
Use Hardware for Analysis 



Nearly as capable as VM solutions 

Just as cheap 

Almost impossible to detect 

Safe solutions available 

Real hardware control possible 

- As will be demonstrated 



Assuming software licensing costs 
Cost Comparison 

Hardware                                Software 

- Cheapest Dell: $349                   - VMWare: $189 
  - Brand new                           - XP: $278.99 * 
  - Cheaper elsewhere                   - Other solutions cheaper 
  - XP License included * 
- Deepfreeze: $45 

Total cost: $394                        Total cost: $467.99 

* Assuming relevant US piracy laws followed 
Replacing Vmware Snapshots 

Faronics Deepfreeze 

Implements copy on write protection 

- Analogous to VMWare snapshot 

- Kernel driver 

- Not perfect, and hackable (like anything) 

- www.faronics.com 

Disk Image Safe Installation 

- dd your drive in case Deepfreeze fails 

- Last resort restoration 
Other Good Tools 

Firewire kernel debugger 

- WinDBG (thanks MSFT) 

Syser Debugger 

- www.sysersoft.com 

- SoftICE replacement 

Debuggers detectable (telock) so be careful 

Software Armoring Achilles Heel 

If it executes, it can be unpacked 

[http://www.security-assessment.com/files/prese 
Manual Unpacking 
Unpacking 



How an Unpacker Works: 

- Writes to an area of memory (decode) 

- Memory is read from (execute) 

- More writes to memory (optional re-encoding) 

CPU Only Executes Machine Code 
This process can be monitored 
Unpacking is directly related to timing 

- At some point, it must be unpacked 






Manual Unpacking Process 



Consists of several stages 

- Identify Packer Type 

- Find OEP or get process to unpacked state in 
memory 

- Dump process memory to file 

- Fixup file / rebuild Import Address Table (IAT) 

- Ensure file can now be analyzed 
Manual Unpacking Process 

Several methods to identify packer type 

- PEiD 

- Msfpescan 

- PEFile from Ero Carrera 

• OC patched to harden against ~275k Malware 

- Manually look at section names 

- Other packer scanners like 

• Protection-id 

• Pe-scan 
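The "manually look at section names" check from the list above, automated, as an added example that is not from the talk or from Offensive Computing's tools. It parses the section table of a PE image and matches the names against a few well-known packer section names. The image is constructed in build_sample_pe() (header-only, just the fields the walk reads) so the code runs offline; guess_packer(), its name list and the sample image are assumptions of this example, not something the slides provide.

```c
/* Added example (not from the talk): packer identification from PE section
 * names. The image parsed here is constructed in build_sample_pe(): only the
 * header fields this walk touches are filled in, so it runs offline. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define E_LFANEW_OFFSET     0x3c  /* DOS header field holding the PE signature offset */
#define COFF_HEADER_SIZE    20
#define SECTION_HEADER_SIZE 40

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Walk the section table and copy up to max section names (8 bytes, NUL padded).
 * Returns the number of names copied, or -1 if the headers are malformed or
 * the table runs past the end of the buffer (common with truncated dumps). */
int pe_section_names(const uint8_t *img, size_t len, char names[][9], int max) {
    if (len < E_LFANEW_OFFSET + 4 || img[0] != 'M' || img[1] != 'Z') return -1;
    size_t pe = rd32(img + E_LFANEW_OFFSET);
    if (pe + 4 + COFF_HEADER_SIZE > len || memcmp(img + pe, "PE\0\0", 4) != 0) return -1;
    const uint8_t *coff = img + pe + 4;
    uint16_t nsec  = rd16(coff + 2);   /* NumberOfSections */
    uint16_t optsz = rd16(coff + 16);  /* SizeOfOptionalHeader */
    size_t sec = pe + 4 + COFF_HEADER_SIZE + optsz;
    if (sec + (size_t)nsec * SECTION_HEADER_SIZE > len) return -1;
    int n = 0;
    for (int i = 0; i < nsec && n < max; i++, n++) {
        memcpy(names[n], img + sec + (size_t)i * SECTION_HEADER_SIZE, 8);
        names[n][8] = '\0';
    }
    return n;
}

/* The slide's section-name check, automated. The name list is this example's
 * assumption, not a list from the talk; a renamed section defeats it. */
const char *guess_packer(char names[][9], int n) {
    for (int i = 0; i < n; i++) {
        if (!strcmp(names[i], "UPX0") || !strcmp(names[i], "UPX1")) return "UPX";
        if (!strcmp(names[i], ".aspack") || !strcmp(names[i], ".adata")) return "ASPack";
        if (!strcmp(names[i], ".petite")) return "Petite";
        if (!strcmp(names[i], "pec1") || !strcmp(names[i], "PEC2")) return "PECompact";
    }
    return "unknown";
}

static void put_name(uint8_t *dst, const char *name) {
    size_t n = strlen(name);
    memcpy(dst, name, n > 8 ? 8 : n);
}

/* Constructed header-only PE32 image with two sections; returns its length. */
size_t build_sample_pe(uint8_t *buf, size_t cap, const char *s0, const char *s1) {
    const size_t pe = 0x80, optsz = 0xE0;    /* PE32 optional header size */
    size_t sec = pe + 4 + COFF_HEADER_SIZE + optsz;
    size_t total = sec + 2 * SECTION_HEADER_SIZE;
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[E_LFANEW_OFFSET] = (uint8_t)pe;      /* e_lfanew, little endian, fits in one byte */
    memcpy(buf + pe, "PE\0\0", 4);
    buf[pe + 4 + 2]  = 2;                    /* NumberOfSections */
    buf[pe + 4 + 16] = (uint8_t)optsz;       /* SizeOfOptionalHeader */
    put_name(buf + sec, s0);
    put_name(buf + sec + SECTION_HEADER_SIZE, s1);
    return total;
}

/* Build a sample with the given section names and classify it. */
const char *classify_sample(const char *s0, const char *s1) {
    uint8_t img[512];
    char names[16][9];
    size_t len = build_sample_pe(img, sizeof img, s0, s1);
    int n = pe_section_names(img, len, names, 16);
    return n < 0 ? "malformed" : guess_packer(names, n);
}

int main(void) {
    printf("UPX0/UPX1   -> %s\n", classify_sample("UPX0", "UPX1"));
    printf(".text/.data -> %s\n", classify_sample(".text", ".data"));
    return 0;
}
```

Because this is a signature check, a packer that renames its sections (or a stub that reuses stock names) defeats it, which is why the deck moves on to detecting the unpacking behaviour itself rather than the packer's fingerprints.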
Manual Unpacking Process 

[Figure: PEiD v0.94 on c:\packers\upx1.20_calc.exe: Entrypoint 00020310, File Offset 00007710, Linker Info 7.0, EP Section UPX1, First Bytes 60,BE,00,90, Subsystem Win32 GUI; identified as "UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo". The Offensive Computing malware search reports the same file as "PE executable for MS Windows (GUI) Intel 80386 32-bit, UPX compressed".] 

[Figure: msfpescan help (modes: search for jump-equivalent instructions, pop+pop+ret combinations, regex match, show code at a specified virtual address, display detailed PE information, attempt to identify the packer/compiler; -A <count> / -B <count> bytes to show after/before a match, an alternate Image Base, print disassembly of matched data) and a run: 

    msf > msfpescan -f upx_scrambler_calc.exe -S 
    upx_scrambler_calc.exe: UPX-Scrambler RC v1.x [667] (1 matches) 
] 
Manual Unpacking Process 

Methods to find OEP / unpacked memory 

- OllyScripts 

• http://www.tuts4you.com 

• http://www.openrce.org 

- OEP finder tools 

• OEP finders for specific packers 

• OEP Finder (very limited) 

• PE Tools / LordPe 

• PEiD generic OEP finder 
Manual Unpacking Process 

[Figure: OllyDbg attached to upx1.20_calc.exe, paused in the main thread at 01012475 (PUSH 70 / PUSH upx1_20_.010015E0), the original entry point reached by an OllyScript; beside it, PEiD v0.94's generic OEP finder on the same file reports "Analyzing: 100%... (OEP Reached)" and a list of possible OEPs.] 
Manual Unpacking Process 

Dump process memory to file 

- OllyDump 
- LordPE 
- Custom tools 

Example (Win32 API sequence for a custom dumper): 

    OpenProcess() 
    ReadProcessMemory() 
    CreateFile() 
    WriteFile() 






Manual Unpacking Process 



[Figure: LordPE Deluxe (by yoda) dumping upx1.20_calc.exe (PID 000003AC, ImageBase 01000000, ImageSize 00028000) with "Fix Raw Size & Offset of Dump Image" checked, and the PE Editor on the dump: Start Address 1000000, Size 28000, Entry Point 20310 modified to 12475 (GetEIP as OEP), Base of Code 19000, Base of Data 21000. 

    Section  Virtual Size  Virtual Offset  Raw Size  Raw Offset  Characteristics 
    UPX0     00018000      00001000        00018000  00001000    E0000080 
    UPX1     00008000      00019000        00008000  00019000    E0000040 
    .rsrc    00007000      00021000        00007000  00021000    C0000040 

Rebuild Status: 

    Dumpfix...done 
    Wipe Relocation... no Relocation present 
    Realigning...done 
    Current filesize: 24F75h 
    File minimized to: 92% 
    Rebuild ImportTable...done 
    Validate PE image...done 
    Binding Imports...failed 
    New filesize: 24F75h 
    File minimized to: 92% 
    Rebuilding finished. 
] 
Manual Unpacking Process 

Fixup file / rebuild Import Address Table (IAT) 

ImportREC probably best tool 

• Revirgin by +Tsehp 

• Manually with a hex editor (tedious) 

IAT contains list of functions imported 

• Very useful for understanding capabilities 



[Figure: IDA Imports window for the rebuilt file, listing addresses in the 0100xxxx range with ordinal, name and library: ??1type_info@@UAE@XZ, ??3@YAXPAX@Z, ?terminate@@YAXXZ (msvcrt); CallWindowProcW, CharNextA, CharNextW, CheckDlgButton, CheckMenuItem, CheckMenuRadioItem, CheckRadioButton, ChildWindowFromPoint, CloseClipboard, CreateDialogParamW (USER32); CloseHandle (KERNEL32).] 
Manual Unpacking Process 

[Figure: Import REConstructor v1.6 FINAL (C) 2001-2003 MackT/uCF attached to c:\packers\upx1.20_calc.exe (000003AC). With OEP set to 00020310, IAT AutoSearch finds the table at RVA 00001000, size 00000228, and Get Imports lists the resolved modules: 

    advapi32.dll  FThunk:00001000  NbFunc:3  (decimal:3)   valid:YES 
    gdi32.dll     FThunk:00001010  NbFunc:3  (decimal:3)   valid:YES 
    kernel32.dll  FThunk:00001020  NbFunc:1E (decimal:30)  valid:YES 
    shell32.dll   FThunk:0000109C  NbFunc:1  (decimal:1)   valid:YES 
    user32.dll    FThunk:000010A4  NbFunc:45 (decimal:69)  valid:YES 
    msvcrt.dll    FThunk:000011BC  NbFunc:1A (decimal:26)  valid:YES 

Fix Dump log: 

    Fixing a dumped file... 
    6 (decimal:6) module(s) 
    84 (decimal:132) imported function(s). 
    *** New section added successfully. RVA:00028000 SIZE:00001000 
    Image Import Descriptor size: 78; Total length: B30 
    C:\packers\unpacked\upx1.20_calc_lordPE_dumped_.exe saved successfully. 
] 
Manual Unpacking Process 



Ensure file can now be analyzed 

Clean disassembly should be available 

IAT should be visible 

Functions should be found 

Strings clear and useful 

Manual unpacking process can be tedious 

Hardest part is generally finding the OEP 






Manual Unpacking Process 



[Figure: IDA on C:\packers\unpacked\upx1.20_calc_lordPE_dumped_.exe. IDA View-A shows clean disassembly in UPX0 (push ebp / mov ebp, esp / mov edx, [ebp+arg_4] / ...); the Functions window lists sub_010013D1, sub_010013FF, sub_01001424, ... sub_01004491, all in segment UPX0; the Imports window resolves RegOpenKeyExA, RegQueryValueExA, RegCloseKey (advapi32), SetBkColor, SetTextColor, SetBkMode (gdi32), GetModuleHandleA, LoadLibraryA, GetProcAddress, GlobalAlloc, CreateThread, WaitForSingleObject, ... (kernel32); the Names and Strings windows show the same DLL and API names as readable text.] 
Manual Unpacking Process 



Show Manual Unpacking Movie 
So What? 



These are all variations on a theme 
There should be a generic way to debug 
Need to modify at a fundamental level 
Solution should be: 

- Generic - Work across set of executables 

- Efficient - Good performance for non-debug 

- Undetectable (as much as possible) 

- Extensible - Automation is the key 
Unpacking: The Algorithm 



Track written memory 

If that memory is executed, it's unpacked 

Must monitor: 

- Memory writes 

- Memory Executions 

Automate the process 
Dynamic Instrumentation 
Dynamic Instrumentation 



Allows a running process to be monitored 
Intel PIN 

- Uses Just-In-Time compiler to insert analysis code 

- Retains consistency of executable 

- Pintools - Use API to analyze code 

- Good control of execution 

• Instruction 

• Memory access 

• Basic block 

- Process Attach / Detach 
Dynamic Instrumentation 

NORMAL INSTRUCTIONS 

    pusha 
    mov     esi, offset dword_1019000 
    lea     edi, [esi-18000h] 
    push    edi 
    or      ebp, 0FFFFFFFFh 
    jmp     short loc_1020332 
Dynamic Instrumentation 

PIN MODIFIED INSTRUCTIONS 

[Figure: the same stub after PIN's JIT. Each original instruction (lea edi, [esi-18000h]; push edi; ...) is bracketed by INSERTED PIN PRE-INSTRUCTIONS before it and INSERTED PIN POST-INSTRUCTIONS after it.] 
Dynamic Instrumentation 

PIN MODIFIED INSTRUCTIONS 

    pusha 
        PIN INSTRUCTIONS 
    mov     esi, offset dword_1019000 
        PIN INSTRUCTIONS 
    lea     edi, [esi-18000h] 
        PIN INSTRUCTIONS 
    push    edi 
        PIN INSTRUCTIONS 
    or      ebp, 0FFFFFFFFh 
        PIN INSTRUCTIONS 
    jmp     short loc_1020332 

Implementation 



Use PIN hooks for 

- Memory Writes 

- Executes 



Track writes in hash table 



If execution occurs on written data, dump 
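The algorithm from "Unpacking: The Algorithm" and the implementation sketch above (PIN hooks for writes and executes, a hash table of written memory, dump on execution of written data), as an added C example that is not Saffron's or PIN's code. PIN's memory-write and instruction hooks are stood in for by on_write() and on_exec(), the hash table is a small open-addressing table keyed by page number, and the process is replaced by a constructed event trace whose addresses are chosen to resemble the upx1.20_calc.exe walkthrough; tracker_t, the event format and the trace are assumptions of this example.

```c
/* Added example (not Saffron's or PIN's code): the written-then-executed page
 * detector from the Implementation slide, replayed over a constructed trace. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SHIFT 12
#define BUCKETS    1024      /* open-addressing hash table of written pages */

typedef struct { uint32_t page; int used; } slot_t;
typedef struct {
    slot_t   written[BUCKETS];
    uint32_t oep;            /* first address executed inside a written page */
    int      dumped;         /* set once; a real tool dumps memory here */
} tracker_t;

static uint32_t page_of(uint32_t addr) { return addr >> PAGE_SHIFT; }

/* Look a page up; insert it when asked. Returns 1 if it was already present. */
static int table_touch(tracker_t *t, uint32_t page, int insert) {
    uint32_t h = (page * 2654435761u) % BUCKETS;
    for (int i = 0; i < BUCKETS; i++) {
        slot_t *s = &t->written[(h + i) % BUCKETS];
        if (!s->used) {
            if (insert) { s->used = 1; s->page = page; }
            return 0;
        }
        if (s->page == page) return 1;
    }
    return 0;                /* table full: unseen; a real tool would grow it */
}

void tracker_init(tracker_t *t) { memset(t, 0, sizeof *t); }

/* Stand-in for PIN's memory-write hook: record the page, not the byte, since
 * the slides note that written addresses cluster and are dumped by page. */
void on_write(tracker_t *t, uint32_t addr) { table_touch(t, page_of(addr), 1); }

/* Stand-in for PIN's instruction hook: executing inside a page that was
 * written at runtime means the code there was produced by the unpacker. */
int on_exec(tracker_t *t, uint32_t eip) {
    if (t->dumped) return 0;
    if (!table_touch(t, page_of(eip), 0)) return 0;
    t->oep = eip;
    t->dumped = 1;
    return 1;
}

typedef struct { char kind; uint32_t addr; } event_t;   /* 'W' write, 'X' execute */

/* Replay a trace; returns the detected entry point, or 0 if none was seen. */
uint32_t replay(tracker_t *t, const event_t *ev, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (ev[i].kind == 'W') on_write(t, ev[i].addr);
        else if (ev[i].kind == 'X' && on_exec(t, ev[i].addr)) return t->oep;
    }
    return 0;
}

/* Constructed trace shaped like the upx1.20_calc.exe walkthrough: the stub at
 * 01020310 runs, fills pages from 01001000 up, then jumps to 01012475. */
uint32_t demo_upx_like(void) {
    static const event_t trace[] = {
        {'X', 0x01020310}, {'X', 0x01020332},
        {'W', 0x01001000}, {'W', 0x01001004}, {'W', 0x01012470}, {'W', 0x01013FFC},
        {'X', 0x01020340}, {'X', 0x01012475},
    };
    tracker_t t;
    tracker_init(&t);
    return replay(&t, trace, sizeof trace / sizeof trace[0]);
}

int main(void) {
    printf("detected OEP: %08X\n", demo_upx_like());
    return 0;
}
```

Tracking at page granularity is what makes the hash table small enough to consult on every instruction; the cost is that a packer which decodes one basic block at a time (the "shifting decode frame" armoring) produces a dump of whatever happens to be decoded at the first hit, which is why the deck later adds attach/detach snapshots.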
Results 

Successful against: 

- Most commonly used packers 
- Packers that don't self verify 
- ~70% of packed malware in OC collection 
Dynamic Instrumentation - Packers 

• 153701 Samples Scanned / 54123 Detected Packers 

[Figure: pie chart of detected packers by sample count and share, redrawn as a table] 

    Packer      Samples  Share 
    UPX         11984    23% 
    PeCompact   11309    21% 
    Armadillo    6727    13% 
    Other        5723    11% 
    FSG          5423    10% 
    AsPack       4776     9% 
    AsProtect    2165     4% 
    TeLock       1426     3% 
    Ste@lth      1378     3% 
    NeoLite      1078     2% 
    Petite        708     1% 
Dynamic Instrumentation 

Instruction tracing for the following packers 

- Aspack 

- PECompact 

- UPX 

Created Simple Hello World Application 
Graphed results with Oreas GDE 

[Figure: instruction-trace graph, Aspack 2.12] 
Results 



Unpacking loop is easy to find 
Dynamic Instrumentation Results 



Generic Algorithm Described Previously 
works well 

All addresses verified by manual unpacking 

Addresses display clustering, which must 
be taken into account 

Attach / Detach is effective for taking 
memory snapshots of an executable 






Dynamic Instrumentation Caveats 

Detectable 

- Memory checksums 

- Signature scanning 

Difficult to use (sorry) 

Extend this to work generically, non-detectably 

Slow 

- 1,000 times slower than native 

- Other methods/tools can be even slower 

Need faster implementation 
Towards a Solution 



Core operating system component that 



Monitors all memory 



Intercepts memory accesses 



Fast Interception and Logging 



Fundamental part of OS 
Overloading the Memory Management Unit 

or 

OS 101: How Virtual Memory Works 
Intel Memory Management 

Each process has its own memory 

Memory must be translated from Virtual to Physical Address 



Non-PAE Mode 32bit Processors use 2 
page indexes and a byte index 



Each process has its own Page Directory 
Example Memory Translation 

[Diagram, built up over five slides, redrawn as text:] 

    31                 22 21               12 11             0 (LSB) 
    +---------------------+------------------+----------------+ 
    | Page Directory Index| Page Table Index |   Byte Index   |  Virtual Address 
    |       10 Bits       |     10 Bits      |    12 Bits     | 
    +---------------------+------------------+----------------+ 
    \____ Virtual Page Number (20 bits) _____/ 

CPU References Virtual Memory Address 

1. CR3 contains the process's Page Directory (contains the PDE) 
2. The Page Directory Index selects the PDE, which points to a Page Table (contains the PTE) 
3. The Page Table Index selects the PTE, which points to the Desired Page in the Physical Address Space 
4. The Byte Index selects the Desired Byte within that page 

[Microsoft Windows Internals, Fourth Edition, Microsoft Press] 
MMU Data Structures 

Page Directory Entry is hardware defined 

- Contains permissions, present bit, etc. 

Page Table Entry also hardware defined 

- Permissions (Ring0 vs. all others) 

- Present bit (paged to disk or not) 

- "User" defined bits (for OS) 
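The translation diagrammed in "Example Memory Translation" together with the PDE/PTE bits listed above, as an added C example (not the talk's code): the non-PAE 32-bit x86 index split (10/10/12 bits) and a two-level walk over a page directory and page table constructed inline in a simulated physical memory. Only the present, read/write and user/supervisor bits are modelled; phys_mem, build_tables(), sample_translate() and the chosen mappings are assumptions of this example.

```c
/* Added example (not the talk's code): non-PAE 32-bit x86 virtual-to-physical
 * translation over page tables constructed in a simulated physical memory. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PTE_PRESENT (1u << 0)   /* page is in RAM (not paged out) */
#define PTE_WRITE   (1u << 1)   /* writable */
#define PTE_USER    (1u << 2)   /* user/supervisor: 0 = ring 0 only */
#define PTE_FRAME   0xFFFFF000u /* physical frame address, bits 31..12 */

uint32_t pd_index(uint32_t va)   { return va >> 22; }            /* bits 31..22 */
uint32_t pt_index(uint32_t va)   { return (va >> 12) & 0x3FFu; } /* bits 21..12 */
uint32_t byte_index(uint32_t va) { return va & 0xFFFu; }         /* bits 11..0  */

typedef enum { XLATE_OK = 0, FAULT_NOT_PRESENT = 1, FAULT_PROTECTION = 2 } xlate_status;

/* Simulated physical memory: 64 KiB, addressed in 32-bit words. */
#define PHYS_WORDS 16384
static uint32_t phys_mem[PHYS_WORDS];

/* The hardware walk: CR3 -> PDE -> PTE -> frame + byte index. A missing present
 * bit or a user-mode touch of a supervisor page is what raises the 0x0E fault. */
xlate_status translate(uint32_t cr3, uint32_t va, int user_mode, uint32_t *pa_out) {
    uint32_t pde = phys_mem[cr3 / 4 + pd_index(va)];
    if (!(pde & PTE_PRESENT)) return FAULT_NOT_PRESENT;
    if (user_mode && !(pde & PTE_USER)) return FAULT_PROTECTION;
    uint32_t pte = phys_mem[(pde & PTE_FRAME) / 4 + pt_index(va)];
    if (!(pte & PTE_PRESENT)) return FAULT_NOT_PRESENT;
    if (user_mode && !(pte & PTE_USER)) return FAULT_PROTECTION;
    *pa_out = (pte & PTE_FRAME) | byte_index(va);
    return XLATE_OK;
}

/* Constructed tables: page directory at physical 0x0000, one page table at
 * 0x1000. VA 0x01012000 -> phys 0x2000 (user, RW); VA 0x01013000 -> phys 0x3000
 * but supervisor only, the state Saffron puts a watched page into. */
uint32_t build_tables(void) {
    const uint32_t cr3 = 0x0000, pt = 0x1000;
    memset(phys_mem, 0, sizeof phys_mem);
    phys_mem[cr3 / 4 + pd_index(0x01012000)] = pt     | PTE_PRESENT | PTE_WRITE | PTE_USER;
    phys_mem[pt  / 4 + pt_index(0x01012000)] = 0x2000 | PTE_PRESENT | PTE_WRITE | PTE_USER;
    phys_mem[pt  / 4 + pt_index(0x01013000)] = 0x3000 | PTE_PRESENT | PTE_WRITE;
    return cr3;
}

/* Translate against the sample tables; 0xFFFFFFFF means the access faulted. */
uint32_t sample_translate(uint32_t va, int user_mode, xlate_status *status) {
    uint32_t pa = 0xFFFFFFFFu;
    xlate_status s = translate(build_tables(), va, user_mode, &pa);
    if (status) *status = s;
    return s == XLATE_OK ? pa : 0xFFFFFFFFu;
}

int sample_status(uint32_t va, int user_mode) {
    xlate_status s;
    sample_translate(va, user_mode, &s);
    return (int)s;
}

int main(void) {
    uint32_t va = 0x01012475;
    printf("VA %08X: PDI %u, PTI %u, byte %03X -> PA %08X\n", va, pd_index(va),
           pt_index(va), byte_index(va), sample_translate(va, 1, NULL));
    printf("VA 01013010 from user mode: status %d\n", sample_status(0x01013010, 1));
    return 0;
}
```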
Virtual Address Translation 

Translation Lookaside Buffer (TLB) is major source of optimization 

Hardware resolves as much as possible 

Invokes page fault handler when 

- Page is not loaded in RAM 

- Incorrect privileges 

- Loaded, but mapped with demand paging 

- Address is not legal (out-of-range) 

All indicated by special fields 
Intel TLB Implementation 

Two TLBs maintained 

- Data (DTLB) 

- Instructions (ITLB) 

ITLB more optimized than DTLB 

- Fewer lookups for instructions == faster code 

- DTLB accessed less 
Intel TLB Population 

Data TLB 

- Address is cached upon lookup 

    mov eax, dword ptr [eax] 

Instruction TLB 

- Address is cached upon execution 

    mov ecx, dword ptr [eax]     ; save the original byte(s) (DTLB entry for the page) 
    mov byte ptr [eax], 0xC3     ; 0xC3 is a near ret 
    call eax                     ; executing the page populates the ITLB 
    mov [eax], ecx               ; restore the original contents 
INTRODUCING SAFFRON 
Introducing Saffron 

Intel PIN and Hybrid Page Fault Handler 

Inspired by OllyBonE (Joe Stewart, DC14) 

Designed for 32-bit Intel x86 CPUs 

Replaces Windows 0x0E Trap Handler 



Logs memory accesses 
[Flowchart, redrawn as text:] 

    START 
      | 
      v 
    HARDWARE: Is the virtual address present in the cache? 
      | Yes: translation completes in hardware 
      | No: PAGE FAULT 
      v 
    OPERATING SYSTEM: Are permissions correct? 
      | Yes: the normal page fault handler services the fault 
      | No 
      v 
    OUR CODE 
Translated (stolen) Version 

[Figure: the same flow drawn as a diagram, labelled with PTE, INTO and LRETD] 
Saffron System Implementation 

[Diagram, redrawn as text:] 

    Windows Kernel (Ring-0) 
      Interrupt Descriptor Table --> 0x0E (Page Fault) --> Saffron page fault handler 
                  ^                                                 | 
                  | Memory Accesses                                 v 
    Userland    Malicious Executable                       Saffron Monitor Process 
Process Monitoring 



Mechanism 

- Overloading of supervisor bit in page fault 
handler 

- Mark supervisor bit on each valid PTE 

- Invalidate the page in the TLB with INVLPG 

Finding Memory 

- All process memory must be found 

- Iterate through all pages for a process 

- Read PE Header and find sections 
Trap to Page Fault Handler 



Determine if a watched process 



Unset the supervisor bit 



Loads the memory into the DTLB 



Resets supervisor bit 
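The mechanism of the last two slides, as an added C example that is not Saffron's code: saffron_watch() clears the user/supervisor bit on every present PTE of the watched process and invalidates the cached translations (the INVLPG step), so the next user-mode access to any page faults; the simulated handler logs the access, restores the bit long enough for the retried access to fill the DTLB (data) or the ITLB (instruction fetch), then sets the page back to supervisor. cpu_t, the two TLB bitmaps, the log and the traces in demo_trace() and demo_watch_toggle() are assumptions of this example; real hardware and Windows internals are far richer than this model.

```c
/* Added example (not Saffron's code): a model of the supervisor-bit overload
 * from the Process Monitoring and Trap to Page Fault Handler slides. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NPAGES      64          /* simulated address space: 64 pages of 4 KiB */
#define PTE_PRESENT (1u << 0)
#define PTE_USER    (1u << 2)   /* user/supervisor bit: 0 = ring 0 only */
#define LOG_MAX     256

typedef struct {
    uint32_t pte[NPAGES];       /* page table entry per page, index = page number */
    int      watched;           /* process is being monitored */
    uint8_t  dtlb[NPAGES];      /* 1 = translation cached in the data TLB */
    uint8_t  itlb[NPAGES];      /* 1 = translation cached in the instruction TLB */
} cpu_t;

typedef struct { char kind; uint32_t page; } access_t;
static access_t saffron_log[LOG_MAX];
static int      saffron_log_len;

/* Fresh process: every page present and user accessible; monitor log cleared. */
void cpu_init(cpu_t *c) {
    memset(c, 0, sizeof *c);
    for (int p = 0; p < NPAGES; p++) c->pte[p] = PTE_PRESENT | PTE_USER;
    saffron_log_len = 0;
}

/* Process Monitoring: mark each valid PTE supervisor-only and INVLPG it, so
 * the next user-mode touch of any page must walk the table and fault. */
void saffron_watch(cpu_t *c) {
    c->watched = 1;
    for (int p = 0; p < NPAGES; p++) {
        if (!(c->pte[p] & PTE_PRESENT)) continue;
        c->pte[p] &= ~PTE_USER;
        c->dtlb[p] = c->itlb[p] = 0;
    }
}

/* Trap to Page Fault Handler. Returns 1 if Saffron consumed the fault, 0 if it
 * belongs to the original Windows handler (unwatched process). */
static int page_fault_handler(cpu_t *c, char kind, uint32_t page) {
    if (!c->watched) return 0;
    if (saffron_log_len < LOG_MAX) {
        saffron_log[saffron_log_len].kind = kind;
        saffron_log[saffron_log_len].page = page;
        saffron_log_len++;
    }
    c->pte[page] |= PTE_USER;                         /* unset the supervisor overload */
    if (kind == 'X') c->itlb[page] = 1;               /* retried fetch fills the ITLB */
    else             c->dtlb[page] = 1;               /* retried load/store fills the DTLB */
    c->pte[page] &= ~PTE_USER;                        /* reset; the TLB keeps its cached copy */
    return 1;
}

/* One user-mode access: 'R' read, 'W' write, 'X' instruction fetch.
 * Returns 1 if Saffron saw the access, 0 if it completed silently. */
int mmu_access(cpu_t *c, char kind, uint32_t addr) {
    uint32_t page = addr >> 12;
    if (page >= NPAGES) return 0;
    uint8_t *tlb = (kind == 'X') ? c->itlb : c->dtlb;
    if (tlb[page]) return 0;                          /* TLB hit: no walk, no fault */
    if (c->pte[page] & PTE_USER) { tlb[page] = 1; return 0; }   /* ordinary fill */
    return page_fault_handler(c, kind, page);         /* user access to supervisor page: #PF */
}

/* Constructed trace: a stub at page 0x20 writes page 0x12, then jumps into it.
 * Returns how many accesses Saffron reported. */
int demo_trace(void) {
    cpu_t c;
    cpu_init(&c);
    saffron_watch(&c);
    int seen = 0;
    seen += mmu_access(&c, 'X', 0x20310);   /* first fetch from the stub page: reported */
    seen += mmu_access(&c, 'X', 0x20332);   /* ITLB hit: silent */
    seen += mmu_access(&c, 'W', 0x12000);   /* first write to page 0x12: reported */
    seen += mmu_access(&c, 'W', 0x12004);   /* DTLB hit: silent */
    seen += mmu_access(&c, 'X', 0x12475);   /* fetch from the written page: reported */
    return seen;
}

/* Same page before and after watching; returns a bitmask of reported accesses. */
int demo_watch_toggle(void) {
    cpu_t c;
    cpu_init(&c);
    int m = 0;
    m |= mmu_access(&c, 'W', 0x12000) << 0;  /* unwatched: silent */
    saffron_watch(&c);
    m |= mmu_access(&c, 'W', 0x12000) << 1;  /* watched, DTLB flushed: reported */
    m |= mmu_access(&c, 'R', 0x12ABC) << 2;  /* DTLB hit: silent */
    m |= mmu_access(&c, 'X', 0x12ABC) << 3;  /* ITLB miss: reported */
    return m;                                /* 0b1010 = 10 */
}

int main(void) {
    printf("accesses reported: %d\n", demo_trace());
    for (int i = 0; i < saffron_log_len; i++)
        printf("  %c page %02X\n", saffron_log[i].kind, saffron_log[i].page);
    return 0;
}
```

Because the translation survives in a TLB after the bit is reset, a first write and a first fetch to the same page are reported separately (they fill different TLBs), while later accesses of the same kind hit the cached entry and stay silent until the TLB evicts it (eviction is not modelled here). That is the "executions only show for each individual page" observation on the Results slide, and it is why the monitor changes no bytes of the process image, which is what keeps memory-checksum armoring from noticing it.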
Modifying the Autounpacker 



Watch for written pages via ITLB 



Monitor for executions into that page 



Mark Address as Original Entry Point 



Dump memory of the process 
Results 

Reads, writes, and executes are exposed 

Program execution can be tracked, controlled 

Memory reads, writes are extremely apparent 

Executions only show for each individual page 

Very Fast! 
Autounpacker Results 



Effective method for bypassing detection 

- SEH decode problem is easily solved 



Memory checksum 

• No process memory is modified 

• Good dumps obtained 



Effective across wide range of packers 
Autounpacking Caveats 

System Requirements 

- Windows XP, SP2 

- No Data Execution Prevention (DEP) 

- Single CPU 

• Disable multiple CPUs in BIOS 

• /ONECPU flag in boot.ini 

- 32-bit Only (could be ported to 64bit) 
Big Announcement 



Technique now works on Vmware 6 
Autounpacking Caveats 

Real Hardware / VMWare 6.0 or higher 

- Virtual Machines (Older versions of Vmware) 

• Play their own tricks with the ITLB 

• Extremely detectable 

- Real Hardware: take proper precautions 

• Restoration procedure 

• Isolated network 

Must not have a kernel debugger attached 

• Hilarity will ensue (silly TeLock) 
Demo of Unpacking 



Demonstrate Saffron PFH 
Future Work 

Initial release of Saffron-DI 

Blackhat USA 2007 

Packaged Version of Saffron-Kernel 

- Drag and drop unpacking 

Offensive Computing Integration 

Any day now (TM) 
Questions? 

Paper, presentation, code available at www.offensivecomputing.net 

Thanks to: 



- Lorie Liebrock, Houdini, Skape, Bugcheck, Skywing, Ty Bodell, 
Uninformed, #vax 




